Recently a few friends emailed me to say they received spam from my Gmail. Gmail alerted me to the fact that my account was being accessed from China, and in the drafts folder I found another spam message ready to be sent to my entire address book.

I'm a web developer but no expert on security. My password was 8 characters containing letters, numbers and special characters. Does this mean they found my password somewhere in plain text?

Now I'm worried they may have found, among the tens of thousands of emails since 2005 that are in my inbox, other passwords I use to access various servers, and other important personal data.

I use it. When I log in to Gmail with my e-mail address and password, I receive an SMS text with a random six-digit number on my mobile phone. I then have to enter this number in order to enter my account. Someone who doesn't have my mobile phone won't have the random six-digit number.

If it's a computer you use often, such as your home computer, you can tell Google to remember you for 30 days so you only have to do the full two-factor authentication about once a month.

One caveat: two-step verification does make things a bit awkward when using mobile-phone or tablet apps, which can't do the second step. Google allows you to create application-specific passwords (which consist of 16 random alphabetic characters) for these apps, which you can enter instead of your regular password in order to validate your account permanently with that app. You only have to do this once per app.

(If your phone resets itself and restores, you may have to do it again. But you can always delete the old application-specific password and create a brand new one if you need to.)

One of the most common ways accounts are compromised is when you sign up for another website, give them your Gmail address, and use the same password you use for your Gmail account. If the other website isn't secure and its database is compromised, the intruder has a list of email addresses and passwords and just has to try to see which ones work.

Your password might also be compromised through malware (keyloggers, etc) and phishing (when you are tricked into giving away your password).

If your account has been compromised, I strongly recommend following every step in the Gmail security checklist. In particular, make sure to set a strong, unique password for your Gmail account that you don't use with any other websites.

As for other passwords that were stored in your account, it would be a good precaution to change these as well. However, it sounds like the person who accessed your account was primarily interested in spamming, so these may be less urgent than securing your computer environment and your Gmail account.
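The password-reuse scenario described in the answer above (a third-party site's database leaks, and the attacker tries each email/password pair against Gmail) can be checked from the defender's side. The following is an added example, not code from the question or the answer: it takes a list of your own credentials (such as a password-manager export) and a list of leaked email/password pairs, and reports which accounts share a password and which ones the leaked pairs would log straight into. All site names, usernames, passwords and the "leaked dump" are constructed for illustration.

```python
"""Audit a credential list for password reuse and for exposure via a leaked dump."""
import hashlib
from collections import defaultdict
from typing import Iterable, NamedTuple


class Credential(NamedTuple):
    site: str
    username: str
    password: str


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so a report can refer to a password without printing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(creds: Iterable[Credential]) -> dict[str, list[str]]:
    """Return {fingerprint: [sites...]} for every password used on more than one site.

    Any entry here is the situation the answer warns about: one leaked database
    hands the attacker a working password for every other site in the list.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for c in creds:
        by_password[c.password].append(c.site)
    return {
        fingerprint(pw): sorted(sites)
        for pw, sites in by_password.items()
        if len(sites) > 1
    }


def accounts_opened_by_leak(
    creds: Iterable[Credential], leaked: Iterable[tuple[str, str]]
) -> list[str]:
    """List the sites in `creds` that a leaked (email, password) pair would log into.

    Credential stuffing replays the pair exactly, so a match needs the same
    username (email addresses compared case-insensitively) and the same password.
    A site that reuses the password under a different username is still at risk,
    but it is not opened by this particular dump and is not listed here.
    """
    leaked_set = {(user.lower(), pw) for user, pw in leaked}
    return sorted(c.site for c in creds if (c.username.lower(), c.password) in leaked_set)


# Constructed sample data (hypothetical accounts and a hypothetical leaked dump).
MY_CREDENTIALS = [
    Credential("gmail.com", "alice@gmail.com", "Tr0ub4dor&3"),
    Credential("forum.example.net", "alice@gmail.com", "Tr0ub4dor&3"),  # same as Gmail
    Credential("bank.example.com", "alice@gmail.com", "correct-horse-battery-staple"),
    Credential("shop.example.org", "alice", "Tr0ub4dor&3"),  # reused, different username
]

LEAKED_DUMP = [
    ("Alice@Gmail.com", "Tr0ub4dor&3"),  # what the compromised forum would leak
    ("bob@example.com", "hunter2"),
]


if __name__ == "__main__":
    for fp, sites in find_reused_passwords(MY_CREDENTIALS).items():
        print(f"password {fp}... is shared by: {', '.join(sites)}")
    opened = accounts_opened_by_leak(MY_CREDENTIALS, LEAKED_DUMP)
    print("accounts the leaked dump logs straight into:", ", ".join(opened) or "none")
```

Run against the sample data, the reuse report groups gmail.com, forum.example.net and shop.example.org under one fingerprint, and the leaked pair opens gmail.com and forum.example.net; shop.example.org is flagged for reuse but not for this dump, because its username differs. The bank account, with its unique password, appears in neither list, which is exactly the property the answer recommends for the Gmail password.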